Rolling
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Rolling
• Windows 8.1• IDA 6.6
• Kali Linux adm64• EDB ( 動態調適器 )
Libc 6 required• To solve it, add the following line to the sources.list:• deb http://ftp.debian.org/debian sid main
• Then install a new linbc:• apt-get update• apt-get -t sid install libc6-dev
main
4006c7
Call rax?• 轉動態調適• 過 4006c7 直接 F7 進 call rax
• 觀察 1• 參數給 test
• "57 102 108 97 103 115 115 116 97 114 116 119 105 116 104 57", • which is "9flagsstartwith9"
• 觀察二• Start with 9: 參數給 “ 9abc123”• rax 指向另一檢查 function
結論• 開頭是 9447• 接下來 ith char 都 relate 到 (i-4)th char• 用 (i-4)th char + {offset}• Offsets: +57 +59 +56 +53 -9 -1 -5 -3 +10 -8 +14 +5• => flag is: “9447{9447rollingisfun}”
Ref.• http://theevilbit.blogspot.tw/2014/12/9447-ctf-2014-writeup-reversi
ng-125100.html
Related Documents
